Web browser security summary

This document will summarize the security vulnerability levels in the four most popular web browsers on Windows. The information was collected from Secunia, a leading computer software security monitoring company. These statistics cover all reported vulnerabilities in Windows versions of Internet Explorer, Firefox, Safari, and Opera.

Vulnerabilities

The following table details the number of vulnerabilities and relative danger.

Historical cumulative values are provided in three forms: for all vulnerabilities in the entire life of these products, for all vulnerabilities that were present within the first 365 days of the first vulnerability reported in the product, and for all vulnerabilities that were present within the last 365 days.

“High severity” values include vulnerability reports that were marked as “highly critical” and above. Relative danger levels are calculated by adding up the square of the criticality levels for each vulnerability report (not critical=1², extremely critical=5²).

A vulnerability is considered unfixed if the vulnerability report does not have a complete vendor patch.

Notice:
Since Internet Explorer 7 was released, Secunia has not indicated which previously known unfixed Internet Explorer 6 vulnerabilities have been re-tested in IE 7, aside from the most recent few (which, by the way, were confirmed to still affect the new version). Secunia has a history of not listing very old vulnerabilities under new versions even if they still apply, and this is as true with Firefox and Opera as is assumed with Internet Explorer. Until Secunia updates the old advisories with an indication of the status in IE 7, this page will assume they still exist.

Notice:
Safari for Windows is still fairly new, so there isn't much data yet. The current figures may not be particularly representative of the overall product.

Security vulnerabilities

| Aspect | Internet Explorer | Firefox | Safari | Opera |
|---|---|---|---|---|
| Historical cumulative values (Product life) | | | | |
| Vulnerability reports | 140 | 77 | 7 | 70 |
| High severity vulnerability reports | 66 | 31 | 5 | 21 |
| Vulnerability issues | 274 | 271 | 22 | 98 |
| Relative danger | 1564 | 739 | 88 | 614 |
| Historical cumulative values (from first 365 days) | | | | |
| Vulnerability reports | 31 | 20 | 7 | 18 |
| High severity vulnerability reports | 13 | 2 | 5 | 4 |
| Vulnerability issues | 69 | 39 | 22 | 23 |
| Relative danger | 331 | 156 | 88 | 138 |
| Historical cumulative values (from last 365 days) | | | | |
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |
| Highest values at one time | | | | |
| Vulnerability reports | 39 | 9 | 2 | 4 |
| High severity vulnerability reports | 5 | 2 | 1 | 1 |
| Vulnerability issues | 41 | 13 | 3 | 8 |
| Relative danger | 204 | 44 | 20 | 27 |
| Mean average per day (from last 365 days) | | | | |
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |
| Median average per day (from last 365 days) | | | | |
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |
| Present values | | | | |
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |

Internet Explorer has had 140 vulnerability reports. 25 were marked as moderately critical, 50 were marked as highly critical, and 16 were marked as extremely critical. There are still 38 remaining, including 9 that were marked as moderately critical and 1 that was marked as highly critical.

Firefox has had 77 vulnerability reports. 19 were marked as moderately critical, 31 were marked as highly critical, and 0 were marked as extremely critical. There are still 5 remaining, including 1 that was marked as moderately critical.

Safari has had 7 vulnerability reports. 0 were marked as moderately critical, 5 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.

Opera has had 70 vulnerability reports. 20 were marked as moderately critical, 20 were marked as highly critical, and 1 was marked as extremely critical. There is still 1 remaining, which was marked as not critical.
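
The relative danger metric defined earlier can be checked against the four summaries above. This added example (not part of the original page) assumes the five criticality levels are numbered 1 to 5 in the order not, less, moderately, highly, extremely critical, and uses the published totals to recover the "less critical" and "not critical" counts that the summaries do not list.

```python
# Added example: reproduce the page's "relative danger" metric
# (sum of squared criticality levels) and cross-check the published totals.

# Assumed numbering of the five criticality levels (the page only states
# not critical = 1 and extremely critical = 5).
LEVELS = {"not": 1, "less": 2, "moderately": 3, "highly": 4, "extremely": 5}

def relative_danger(counts):
    """counts maps a level name to the number of reports at that level."""
    return sum(LEVELS[name] ** 2 * n for name, n in counts.items())

def split_low_levels(total, moderately, highly, extremely, danger):
    """Recover (less, not) counts from the figures the page does publish.

    Solves:  less + not        = reports below "moderately critical"
             4*less + 1*not    = danger not explained by the upper levels
    """
    low_reports = total - moderately - highly - extremely
    low_danger = danger - relative_danger(
        {"moderately": moderately, "highly": highly, "extremely": extremely})
    less, remainder = divmod(low_danger - low_reports, 3)
    not_critical = low_reports - less
    if remainder or less < 0 or not_critical < 0:
        raise ValueError("published figures do not fit the metric")
    return less, not_critical

# (reports, moderately, highly, extremely, relative danger), product life,
# copied from the table and summaries on this page.
PUBLISHED = {
    "Internet Explorer": (140, 25, 50, 16, 1564),
    "Firefox": (77, 19, 31, 0, 739),
    "Safari": (7, 0, 5, 0, 88),
    "Opera": (70, 20, 20, 1, 614),
}

def recovered_counts():
    """Per browser: full per-level counts implied by the published figures."""
    out = {}
    for browser, (total, mod, high, ext, danger) in PUBLISHED.items():
        less, not_critical = split_low_levels(total, mod, high, ext, danger)
        out[browser] = {"not": not_critical, "less": less,
                        "moderately": mod, "highly": high, "extremely": ext}
    return out

if __name__ == "__main__":
    for browser, counts in recovered_counts().items():
        print(browser, counts, relative_danger(counts))
```

All four browsers yield whole, non-negative counts, so the published report totals and relative danger values are mutually consistent under this level numbering.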

Publicly disclosed without a patch

Many vulnerabilities are discovered by the browser vendors and patched before they are ever publicly known. Vulnerabilities are most dangerous when they are found elsewhere with no patch available. The following are historical cumulative vulnerability values that only include those vulnerabilities that were publicly known before a patch was available.

Security vulnerabilities (in public)

| Aspect | Internet Explorer | Firefox | Safari | Opera |
|---|---|---|---|---|
| Historical cumulative values (Product life) | | | | |
| Vulnerability reports | 97 | 42 | 4 | 31 |
| High severity vulnerability reports | 29 | 7 | 2 | 4 |
| Vulnerability issues | 127 | 54 | 6 | 36 |
| Relative danger | 892 | 271 | 40 | 213 |
| Historical cumulative values (from first 365 days) | | | | |
| Vulnerability reports | 22 | 14 | 4 | 14 |
| High severity vulnerability reports | 5 | 1 | 2 | 3 |
| Vulnerability issues | 31 | 17 | 6 | 19 |
| Relative danger | 185 | 100 | 40 | 105 |
| Historical cumulative values (from last 365 days) | | | | |
| Vulnerability reports | 38 | 5 | 2 | 1 |
| High severity vulnerability reports | 1 | 0 | 0 | 0 |
| Vulnerability issues | 40 | 6 | 3 | 1 |
| Relative danger | 161 | 19 | 8 | 1 |

Internet Explorer has had 97 reports of vulnerabilities discovered in the public without a patch. 21 were marked as moderately critical, 17 were marked as highly critical, and 12 were marked as extremely critical.

Firefox has had 42 reports of vulnerabilities discovered in the public without a patch. 11 were marked as moderately critical, 7 were marked as highly critical, and 0 were marked as extremely critical.

Safari has had 4 reports of vulnerabilities discovered in the public without a patch. 0 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical.

Opera has had 31 reports of vulnerabilities discovered in the public without a patch. 10 were marked as moderately critical, 3 were marked as highly critical, and 1 was marked as extremely critical.

Fully-disclosed

The following values only include vulnerabilities that had publicly known exploits or proof-of-concept exploit code before a patch was available, according to Secunia's advisories.

It should be noted that not all theoretical exploits hold the same likelihood of attack. Some vulnerabilities may have publicly available proof-of-concept code that is very difficult to exploit in practice. Criticality levels often provide some indication of the ease of exploitation, but they also represent the sheer potential impact of the flaw whether easily exploitable or not.

Security vulnerabilities (fully-disclosed)

| Aspect | Internet Explorer | Firefox | Safari | Opera |
|---|---|---|---|---|
| Historical cumulative values (Product life) | | | | |
| Vulnerability reports | 46 | 14 | 4 | 10 |
| High severity vulnerability reports | 18 | 2 | 2 | 1 |
| Vulnerability issues | 66 | 15 | 6 | 14 |
| Relative danger | 511 | 75 | 40 | 67 |
| Historical cumulative values (from first 365 days) | | | | |
| Vulnerability reports | 6 | 2 | 4 | 3 |
| High severity vulnerability reports | 1 | 0 | 2 | 1 |
| Vulnerability issues | 6 | 2 | 6 | 7 |
| Relative danger | 41 | 13 | 40 | 30 |
| Historical cumulative values (from last 365 days) | | | | |
| Vulnerability reports | 14 | 2 | 2 | 1 |
| High severity vulnerability reports | 0 | 0 | 0 | 0 |
| Vulnerability issues | 15 | 2 | 3 | 1 |
| Relative danger | 50 | 5 | 8 | 1 |
| Highest values at one time | | | | |
| Vulnerability reports | 15 | 7 | 2 | 2 |
| High severity vulnerability reports | 3 | 1 | 1 | 1 |
| Vulnerability issues | 16 | 7 | 3 | 6 |
| Relative danger | 107 | 31 | 20 | 25 |
| Mean average per day (from last 365 days) | | | | |
| Vulnerability reports | 14 | 2 | 2 | 1 |
| High severity vulnerability reports | 0 | 0 | 0 | 0 |
| Vulnerability issues | 15 | 2 | 3 | 1 |
| Relative danger | 50 | 5 | 8 | 1 |
| Median average per day (from last 365 days) | | | | |
| Vulnerability reports | 14 | 2 | 2 | 1 |
| High severity vulnerability reports | 0 | 0 | 0 | 0 |
| Vulnerability issues | 15 | 2 | 3 | 1 |
| Relative danger | 50 | 5 | 8 | 1 |
| Present values | | | | |
| Vulnerability reports | 14 | 2 | 2 | 1 |
| High severity vulnerability reports | 0 | 0 | 0 | 0 |
| Vulnerability issues | 15 | 2 | 3 | 1 |
| Relative danger | 50 | 5 | 8 | 1 |

Internet Explorer has had 46 fully-disclosed vulnerability reports. 6 were marked as moderately critical, 6 were marked as highly critical, and 12 were marked as extremely critical. There are still 14 remaining, including 3 that were marked as moderately critical.

Firefox has had 14 fully-disclosed vulnerability reports. 2 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.

Safari has had 4 fully-disclosed vulnerability reports. 0 were marked as moderately critical, 2 were marked as highly critical, and 0 were marked as extremely critical. There are still 2 remaining, both of which were marked as less critical or not critical.

Opera has had 10 fully-disclosed vulnerability reports. 3 were marked as moderately critical, 0 were marked as highly critical, and 1 was marked as extremely critical. There is still 1 remaining, which was marked as not critical.

Patch delay

It is also important to consider how quickly each web browser fixes its vulnerabilities. The following table lists the average time taken between Secunia's vulnerability reports and the release dates of their respective patches, if all aging unfixed vulnerabilities (vulnerabilities at least as old as the mean of all fixed vulnerabilities for that browser) were to be fixed today. Data does not include unfixed vulnerabilities less than that age, vulnerabilities with unknown fix dates, or vulnerabilities that were only publicly known after the patch release. Values listed are in days.
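
One reading of the patch-delay definition above, as an added example that is not the page's own code or data: fixed vulnerabilities set a mean delay, and any unfixed vulnerability at least that old is counted as if it were patched today. The record layout, the `UNKNOWN` marker, the dates and the sample records are all constructed for illustration.

```python
# Added example: average patch delay with "aging" unfixed vulnerabilities
# counted as if they were fixed today. All records below are constructed.
from datetime import date
from statistics import mean

UNKNOWN = "unknown"  # hypothetical marker: fixed, but patch date not recorded

def average_patch_delay(records, today):
    """records: iterable of (reported, patched, public_before_patch).

    patched is a date, None (still unfixed) or UNKNOWN.
    Returns the mean delay in days, or None if nothing qualifies.
    """
    # Fixed vulnerabilities with a known patch date that were public first.
    fixed = [(patched - reported).days
             for reported, patched, public_first in records
             if isinstance(patched, date) and public_first]
    if not fixed:
        return None
    threshold = mean(fixed)  # mean delay of all fixed vulnerabilities
    # Unfixed vulnerabilities at least as old as that mean are "aging":
    # count them with a delay of (today - reported). Younger ones are ignored.
    aging = [(today - reported).days
             for reported, patched, _ in records
             if patched is None and (today - reported).days >= threshold]
    return mean(fixed + aging)

TODAY = date(2008, 1, 1)  # constructed reference date
SAMPLE = [
    (date(2007, 1, 1), date(2007, 1, 11), True),    # fixed after 10 days
    (date(2007, 2, 1), date(2007, 3, 3), True),     # fixed after 30 days
    (date(2007, 3, 1), date(2007, 3, 21), True),    # fixed after 20 days
    (date(2007, 4, 10), date(2007, 4, 10), False),  # public only after patch
    (date(2007, 5, 1), UNKNOWN, True),              # fix date unknown
    (date(2007, 9, 23), None, True),                # unfixed, 100 days old
    (date(2007, 12, 22), None, True),               # unfixed, only 10 days old
]

if __name__ == "__main__":
    print(average_patch_delay(SAMPLE, TODAY))
```

In the sample, the single 100-day unfixed report doubles the average relative to the fixed-only mean, which is the effect the "fixed today" assumption is meant to capture.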